Git Token Based Authentication

pkg/apiserver/apiserver.go

@@ -217,6 +217,7 @@ func (c completedConfig) New() (*PorchServer, error) {
 
 	resolverChain := []porch.Resolver{
 		porch.NewBasicAuthResolver(),
+		porch.NewTokenAuthResolver(),
 		porch.NewCaBundleResolver(),
 		porch.NewGcloudWIResolver(coreV1Client, stsClient),
 	}

pkg/registry/porch/secret.go

@@ -17,6 +17,7 @@ package porch
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
@@ -43,6 +44,9 @@ const (
 
 	//Secret.Data key required for the caBundle
 	CaBundleDataName = "ca.crt"
+
+	//Secret.Data key substring required for the token
+	TokenDataName = "token"
 )
 
 func NewCredentialResolver(coreClient client.Reader, resolverChain []Resolver) repository.CredentialResolver {
@@ -143,6 +147,50 @@ func (b *BasicAuthCredential) ToAuthMethod() transport.AuthMethod {
 	}
 }
 
+// token based secret verification
+// same as basic auth e.g. username:password
+// but in token based auth username does not matter and password is the token itself
+func NewTokenAuthResolver() Resolver {
+	return &TokenAuthResolver{}
+}
+
+var _ Resolver = &TokenAuthResolver{}
+
+type TokenAuthResolver struct{}
+
+type TokenAuthCredentials struct {
+	Username string
+	Password string
+}
+
+func (b *TokenAuthResolver) Resolve(_ context.Context, secret core.Secret) (repository.Credential, bool, error) {
+	if secret.Data[strings.ToLower(TokenDataName)] == nil && secret.Type == core.SecretTypeOpaque{
+		return nil, false, fmt.Errorf("Token secret.Data key must be set as %s", TokenDataName)
+	}
+
+	return &TokenAuthCredentials{
+		Username: string("Username"),
+		Password: string(secret.Data[TokenDataName]),
+	}, true, nil
+}
+
+func (b *TokenAuthCredentials) ToString() string {
+	return b.Password
+}
+
+var _ repository.Credential = &TokenAuthCredentials{}
+
+func (b *TokenAuthCredentials) Valid() bool {
+	return true
+}
+
+func (b *TokenAuthCredentials) ToAuthMethod() transport.AuthMethod {
+	return &http.BasicAuth{
+		Username: string(b.Username),
+		Password: string(b.Password),
+	}
+}
+
 func NewCaBundleResolver() Resolver {
 	return &CaBundleResolver{}
 }

pkg/registry/porch/secret_test.go

@@ -20,6 +20,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/nephio-project/porch/pkg/repository"
 	"github.com/stretchr/testify/assert"
 	core "k8s.io/api/core/v1"
@@ -109,6 +110,84 @@ func TestCredentialResolver(t *testing.T) {
 	}
 }
 
+func TestTokenCredentialResolver(t *testing.T) {
+
+	testCases := map[string]struct {
+		readerSecret *core.Secret
+		readerErr    error
+
+		resolverCredential repository.Credential
+		resolverResolved   bool
+		resolverErr        error
+
+		expectedCredential repository.Credential
+		expectedErrString  string
+	}{
+		"secret has valid Data key": {
+			readerSecret: &core.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretName,
+					Namespace: secretNamespace,
+				},
+				Type: core.SecretTypeOpaque,
+				Data: map[string][]byte{
+					"token": []byte("d895131d6f99a3b65f4730e57a5989e8179be6b2"),
+				},
+			},
+			expectedCredential: &TokenAuthCredentials{
+				Username: "Username",
+				Password: "d895131d6f99a3b65f4730e57a5989e8179be6b2",
+			},
+		},
+		"secret has invalid Data key": {
+			readerSecret: &core.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretName,
+					Namespace: secretNamespace,
+				},
+				Type: core.SecretTypeOpaque,
+				Data: map[string][]byte{
+					"invalid": []byte("blah"),
+				},
+			},
+			expectedCredential: nil,
+			expectedErrString:  "error resolving credential: Token secret.Data key must be set as token",
+		},
+	}
+
+	for tn := range testCases {
+		tc := testCases[tn]
+		t.Run(tn, func(t *testing.T) {
+			reader := &fakeReader{
+				expectedSecret: tc.readerSecret,
+				expectedErr:    tc.readerErr,
+			}
+			credResolver := NewCredentialResolver(reader, []Resolver{
+				NewTokenAuthResolver(),
+				&fakeResolver{
+					credential: tc.resolverCredential,
+					resolved:   tc.resolverResolved,
+					err:        tc.resolverErr,
+				},
+			})
+
+			cred, err := credResolver.ResolveCredential(context.Background(), secretNamespace, secretName)
+			if err != nil {
+				assert.EqualErrorf(t, err, tc.expectedErrString, "Error should be: %v, got: %v", tc.expectedErrString, err)
+			}
+			assert.Equal(t, tc.expectedCredential, cred)
+			if cred != nil {
+				assert.Equal(t, cred.ToString(), "d895131d6f99a3b65f4730e57a5989e8179be6b2")
+				assert.Equal(t, cred.Valid(), true)
+				assert.Equal(t, cred.ToAuthMethod(), &http.BasicAuth{
+					Username: string("Username"),
+					Password: string("d895131d6f99a3b65f4730e57a5989e8179be6b2"),
+				})
+			}
+		})
+	}
+}
+
 func TestCaBundleCredentialResolver(t *testing.T) {
 
 	testCases := map[string]struct {